Moving Towards Outdoor EMV

August 23, 2018

Agenda• Housekeeping• Presenters• About Conexxus• Presentation• Q & A

HousekeepingThis webinar is being recorded and will be made available in approximately 30 days. • YouTube (youtube.com/conexxusonline)• Website Link (conexxus.org)

Slide Deck • Survey Link – Presentation provided at end

Participants• Ask questions via webinar interface• Please, no vendor specific questions

Email: info@conexxus.org or webinars@conexxus.org

Presenters Conexxus Host & ModeratorLinda Toth, Director of Standards, Conexxusltoth@conexxus.org

SpeakersSimon Siew, Director of Payment Solutions, Dover Fueling Systemssimon.siew@doverfs.com

Willie Nelson, Payment Marketing Manager, Gilbarco Veeder-Rootwilliam.nelson@gilbarco.com

Dan Harrell, Chief Innovation Officer, Invenco Group Limiteddan.Harrell@invenco.com

About Conexxus• We are an independent, non-profit, member driven

technology organization• We set standards…

– Data exchange– Security– Mobile commerce

• We provide vision– Identify emerging tech/trends

• We advocate for our industry– Technology is policy

2018 Conexxus Webinar Schedule*Month/Date Webinar Title Speaker Company

May 24, 2018 QIR in the World of Retail Petroleum Chris BucoloTodd Rosen ControlScan

June 21, 2018 How can we leverage data science to more effectively detect security threats?

Thomas DuncanAshwin Swamy

Omega ATCOmega ATC

July 26, 2018 Roadmap to a Vulnerability Disclosure Program Joe Basirico Security Innovation

August 23, 2018 Moving Toward Outdoor EMV

Linda TothWillie NelsonSimon SiewDan Harrell

ConexxusGilbarco

Dover Invenco

September 20, 2018 Your Systems Are Talking to You! George Sconyers Omega ATC

November 2018 Building a Scalable Security Engineering Team Joe Basirico Security Innovation

7

NACS ShowOctober 7-10, 2018

Las Vegas, NV

Conexxus thanks our 2018 Annual Diamond Sponsors!

Booth 6147

What is EMV? EMV is a set of international standards that defines interoperability of secure transactions across the international payments landscape. EMV transactions introduce dynamic data specific to the card and the transaction, with

the goal of devaluing transaction data in flight and reducing the risk of counterfeit fraud.

EMV has become the world-wide standard and both U.S. neighbors, Canada and Mexico, have EMV mandates effecting U.S. multi-national retailers.

EMV is the stepping stone to the future of payments due to its dynamic data authentication (Contactless, Mobile, QR Code).

In the context of EMV, encryption is only used to protect the PIN. Does not encrypt all of the transaction data

Payment Regulatory Standards – EMV and PCI

A primary goal of EMVCo and the EMV Specifications is to help facilitate global interoperability and compatibility of chip-based payment cards and acceptance devices. This objective extends to new types of payment devices as well, including contactless payment, mobile payment and QR Payment Code.

PCI PTS Regulatory Roadmap

Requirements Version Used During Evaluation At Laboratory

Expiration of Requirements

Approval Expiration Of

Device Models

Version 5.x of PCI PTS POI Security Requirements April 2020 April 2026

Version 4.x of PCI PTS POI Security Requirements Sept 2017 April 2023

Version 3.x of PCI PTS POI Security Requirements April 2014 April 2020

Version 2.x of PCI PED or EPP Security Requirements April 2011 April 2017

Version 1.x of PCI UPT Security Requirements April 2011 April 2017

Version 1.x PCI PED or EPP Security Requirements April 2008 April 2014

EMV Liability Shift DatesU.S. Card Terminal Liability

Prior to October 1:- 2015 POS- 2017 AFD XBorder- 2020 AFD US Dom

Mag stripe only Mag stripe only Issuer

AfterOctober 1, 2015For POS In-store

Mag stripe only Mag stripe only IssuerEMV chip Mag stripe only Acquirer/Retailer

Mag stripe only EMV chip IssuerEMV chip EMV chip Issuer

After October 1, 2017For AFD XBorder

EMV chip Mag stripe only Acquirer/Retailer

AfterOctober 1, 2020For AFD US Domestic

EMV chip EMV chip Issuer

There is no EMV liability shift on contactless or lost/stolen fraud transactions

75150

300

400

520

Today 2018 2019 2020 2021

US Contactless Card Forecast (M) (2 in 5 cards in the US will be Contactless by end of 2021)

Source: Juniper Contactless Payments Report, 2017-2021

Foundation for innovation and enabler for next generation payment experiences including wearables and connected devices

Card brands heavy promotion as a secure, fast transactions and seamless implementation process (certification)

Contactless

Chargebacks from Visa - VFMPStarting July 2017 to October 2020, retailers with domestic AFD fraud may be put into 2 categories:

Standard Program

monthly basis thresholds met or exceeded:o $10K in domestic counterfeit fraud, ando 0.2% domestic counterfeit fraud amount to domestic sales

ratio

Excessive Program – Starting November 17

monthly basis thresholds met or exceeded:o $10K in domestic counterfeit, and o 2.0% domestic counterfeit fraud amount to domestic

sales ratio

Merchant Actions:• Month 1 – notification to acquirer• Month 2 – 4: acquirer works with merchant to

reduce fraud below threshold• Month 5: if fraud not reduced, chargebacks enforced

Merchant Actions:• Month 1 – immediate chargebacks enforced• Must remediate: keep fraud below these levels for 3

consecutive months

If the merchant is unable to reduce its counterfeit fraud levels below program thresholds 12 months after it has entered the program, it may lose Visa acceptance privileges.

New Pump and Retrofit Options

• New pump and OPT warranty

• Must be UL certified for safety• Fits most existing fuel pumps• Less expensive EMV option• New warranty on pay at pump terminal

AFD – PCI and EMV Readiness

Contactless Reader

EMV L1

Hybrid CHIP Reader

EMV L2 & PCI

PCI PTS Devices

EMV L3

EMV L2 kernel for Contact and Contactless

POS or EPS SW

AFD – EMV hardware and software

• Secure Hybrid Card Readers – EMV L1

• Contactless Reader – EMV L1

• EMV Contact & Contactless kernel – EMV L2

• PCI PTS Certified Devices

Complete Terminal

IP Connect

AFD OPT to POS/EPS on TCP/IP

AFD OPT to POS/EPS on TCP/IP

• Run new CAT 5 cables

• Using existing wires - need TCP/IP converter

• TCP/IP Converter – Wired or Wireless

+ +

Device manufacturer Device manufacturer + EPS provider

PCI and EMV Approval Life Cycle

Contactless Reader

EMV L1

Hybrid CHIP Reader

EMV L2 & PCI

PCI PTS Devices

EMV L3

EMV L2 kernel for Contact and Contactless

POS or EPS SW

EMV L1: 4 years

Complete Terminal+ +

EMV L2: 3 years

PCI PTS: 10 yearsPCI PA DSS: 3 years

Steps to Enable EMV – A long process and in phases

AFD EMV ReadyConfigurations

ContactlessEMV?

No Yes

Install ContactlessReader Kits

Purchase/Install EMV Application

TCP/IP Connectivity

Ethernet Converter

EMV Enabled Controller

POS/EPS System

Host Enables EMV EMV Enabled Site

EMVPaymentProcessor

AFD EMV Enabled

18

Hardware Deployed –only Mag Enabled

2nd Trip – EMV Software Installation

Hardware Deployed –only Mag Enabled

Cloud distributed EMV Software Installation

Hardware Deployed –EMV software

installed and turned on

Dual Trip: Hands OnSingle Trip: Cloud

Activated Single Trip: Big Bang

Deployment Models - Experiences

EMV Enabled Site EMV Enabled Site

EMV Enabled Site

• Two service trips• Hands on monitoring• Increases logistical issues

• Single installation trip• Remote monitoring• Synchronization challenge

• Single installation trip• Hands on monitoring• Logistical and

synchronization challenge

Lessons learnedCustomer User Experience

• Card insertion experience

• Authorization speed

• Combinations with loyalty and Chip Card

Network Infrastructure• IP configuration• Connectivity integrity – old wires problem

Training• Employee – Managers and Cashiers• Customers- Start advertising early

TCP/IP Converter

Additional Opportunities with EMV upgradePoint to Point Encryption

Media Assets Tracking / Diagnostics Dispenser Security

• Drive in-store sales• Ad revenue models• Drive brand awareness

• Conexxus Asset Standard• Manage uptime• Better customer experiences

• Enhance security

• Conexxus standard protocol• Reduce PCI scope for store systems

• Website: www.conexxus.org• Email: info@conexxus.org• LinkedIn Profile: Conexxus.org• Follow us on Twitter: @Conexxusonline